# Ghidrecomp - Command Line Ghidra Decompiler
## About
This Python command line tool decompiles all functions of a binary and writes them to a directory in separate `C` files:
```mermaid
flowchart LR
a(filename ) --> b[ghidrecomp]
a2[(Symbol Server)] --> b
b --> e(Ghidra Project Files)
b --> output
subgraph output
subgraph decompilations
direction LR
i(func1.c)
h(func2.c)
f(funcB.c)
end
subgraph callgraphs
direction LR
j(callgraph1.md)
k(callgraph2.md)
l(callgraphN.md)
end
subgraph bsim-xml
direction LR
n(sig-md5-bin1.xml)
m(sig-md5-bin2.xml)
o(sig-md5-binN.xml)
end
end
```
Or to a single `C` file and header file with `--cppexport`:
```mermaid
flowchart LR
a(filename ) --> b[ghidrecomp]
a2[(Symbol Server)] --> b
b --> e(Ghidra Project Files)
b --> singlefile
subgraph singlefile
direction LR
s1(all_funcs.c)
s2(all_funcs.h)
end
```
The main purpose of this tool is to produce decompilations for research and analysis. It relies on [Ghidra](https://ghidra-sre.org/) for decompilation and communicates with Ghidra through `jpype` via `pyhidra`.
## TOC
- [Ghidrecomp - Command Line Ghidra Decompiler](#ghidrecomp---command-line-ghidra-decompiler)
- [About](#about)
- [TOC](#toc)
- [Features](#features)
- [Usage](#usage)
- [Output Files Tree](#output-files-tree)
- [Example Usage with Windows afd.sys:](#example-usage-with-windows-afdsys)
- [Command line](#command-line)
- [Output](#output)
- [Decompilation Output Dir](#decompilation-output-dir)
- [Example usage in Docker container](#example-usage-in-docker-container)
- [Command (Host)](#command-host)
- [Run in docker on /bin/ls](#run-in-docker-on-binls)
- [Output](#output-1)
- [Decompilation Output Dir](#decompilation-output-dir-1)
- [Example Usage with Windows afd.sys Callgraph:](#example-usage-with-windows-afdsys-callgraph)
- [Command line](#command-line-1)
- [Output](#output-2)
- [Sample Calling Callgraph Output AfdRestartDgConnect:](#sample-calling-callgraph-output-afdrestartdgconnect)
- [Sample MindMap Output for AfdRestartDgConnect](#sample-mindmap-output-for-afdrestartdgconnect)
- [Example BSim signature generation](#example-bsim-signature-generation)
- [Command line](#command-line-2)
- [Output](#output-3)
- [Files generated](#files-generated)
- [Installation](#installation)
- [Windows](#windows)
- [Linux / Mac](#linux--mac)
- [Devcontainer / Docker](#devcontainer--docker)
- [Option 1 - Devcontainer](#option-1---devcontainer)
- [Option 2 - Docker](#option-2---docker)
## Features
*all these features are ultimately provided by Ghidra*
- Decompile all the functions (threaded)
  - to a folder (`-o OUTPUT_PATH`)
  - to a single c file and header file (`--cppexport`)
- Auto-downloaded symbols for supported symbol servers (`-s SYMBOLS_PATH`)
  - https://msdl.microsoft.com/download/symbols/
  - https://chromium-browser-symsrv.commondatastorage.googleapis.com/
  - https://symbols.mozilla.org/
  - https://software.intel.com/sites/downloads/symbols/
  - https://driver-symbols.nvidia.com/
  - https://download.amd.com/dir/bin/
- Specify the pdb for the binary (`--sym-file-path`)
- Filter functions to decompile that match regex (`--filter`)
- Apply custom data types (`--gdt`)
## Usage
```
usage: ghidrecomp [-h] [--cppexport] [--filter FILTERS] [--project-path PROJECT_PATH] [--gdt [GDT]] [-o OUTPUT_PATH] [-v] [--skip-cache]
                  [--sym-file-path SYM_FILE_PATH | -s SYMBOLS_PATH | --skip-symbols] [-t THREAD_COUNT] [--va] [--fa]
                  [--max-ram-percent MAX_RAM_PERCENT] [--print-flags] [--callgraphs] [--callgraph-filter CALLGRAPH_FILTER] [--mdd MAX_DISPLAY_DEPTH]
                  [--max-time-cg-gen MAX_TIME_CG_GEN] [--cg-direction {calling,called,both}] [--bsim] [--bsim-sig-path BSIM_SIG_PATH]
                  [--bsim-template BSIM_TEMPLATE] [--bsim-cat BSIM_CAT]
                  bin

ghidrecomp - A Command Line Ghidra Decompiler

positional arguments:
  bin                   Path to binary used for analysis

options:
  -h, --help            show this help message and exit
  --cppexport           Use Ghidras CppExporter to decompile to single file (default: False)
  --filter FILTERS      Regex match for function name (default: None)
  --project-path PROJECT_PATH
                        Path to base ghidra projects (default: ghidra_projects)
  --gdt [GDT]           Additional GDT to apply (default: None)
  -o OUTPUT_PATH, --output-path OUTPUT_PATH
                        Location for all decompilations (default: ghidrecomps)
  -v, --version         show program's version number and exit
  --skip-cache          Skip cached and genearate new decomp and callgraphs. (default: False)
  --sym-file-path SYM_FILE_PATH
                        Specify single pdb symbol file for bin (default: None)
  -s SYMBOLS_PATH, --symbols-path SYMBOLS_PATH
                        Path for local symbols directory (default: symbols)
  --skip-symbols        Do not apply symbols (default: False)
  -t THREAD_COUNT, --thread-count THREAD_COUNT
                        Threads to use for processing. Defaults to cpu count (default: 12)
  --va                  Enable verbose analysis (default: False)
  --fa                  Force new analysis (even if already analyzed) (default: False)

JVM Options:
  --max-ram-percent MAX_RAM_PERCENT
                        Set JVM Max Ram % of host RAM (default: 50.0)
  --print-flags         Print JVM flags at start (default: False)

Callgraph Options:
  --callgraphs          Generate callgraph markdown (default: False)
  --callgraph-filter CALLGRAPH_FILTER
                        Only generate callgraphs for functions matching filter (default: .)
  --mdd MAX_DISPLAY_DEPTH, --max-display-depth MAX_DISPLAY_DEPTH
                        Max Depth for graph generation (default: None)
  --max-time-cg-gen MAX_TIME_CG_GEN
                        Max time in seconds to wait for callgraph gen. (default: 5)
  --cg-direction {calling,called,both}
                        Direction for callgraph. (default: calling)

BSim Options:
  --bsim                Generate BSim function feature vector signatures (default: False)
  --bsim-sig-path BSIM_SIG_PATH
                        Path to store BSim xml sigs (default: bsim-xmls)
  --bsim-template BSIM_TEMPLATE
                        BSim database template (default: medium_nosize)
  --bsim-cat BSIM_CAT   BSim category. (type:value) --bsim-cat color:red (default: None)
```
## Output Files Tree
All files:
```bash
$ tree -L 2 ghidrecomps/ | more
ghidrecomps/
├── bins
│   ├── afd.sys.10.0.22621.1415-b4c4b6ef5980df8440fb26daffb4118f
│   └── ls_aarch64-fffefca59f1dcb04e318b6b26fa1b50e
├── bsim-xmls
│   └── sigs_fffefca59f1dcb04e318b6b26fa1b50e_ls_aarch64
├── ghidra_projects
│   ├── afd.sys.10.0.22621.1415-b4c4b6ef5980df8440fb26daffb4118f
│   └── ls_aarch64-fffefca59f1dcb04e318b6b26fa1b50e
└── symbols
    ├── 000admin
    ├── afd.pdb
    └── pingme.txt
```
Decomps and callgraphs:
```bash
$ tree -L 2 ghidrecomps/bins/
ghidrecomps/bins/
├── afd.sys.10.0.22621.1415-b4c4b6ef5980df8440fb26daffb4118f
│   ├── callgraphs
│   └── decomps
└── ls_aarch64-fffefca59f1dcb04e318b6b26fa1b50e
    └── decomps
```
## Example Usage with Windows afd.sys:
### Command line
```bash
wget https://msdl.microsoft.com/download/symbols/afd.sys/50989142a9000/afd.sys -O afd.sys.10.0.22621.1415
ghidrecomp afd.sys.10.0.22621.1415
```
### Output
```bash
Starting decompliations: Namespace(bin='tests/data/afd.sys.10.0.22621.1344', cppexport=False, filters=None, project_path='.ghidra_projects', output_path='decompilations', sym_file_path=None, symbols_path='.symbols', skip_symbols=False, thread_count=8, va=False)
INFO Using log config file: jar:file:/ghidra/Ghidra/Framework/Generic/lib/Generic.jar!/generic.log4j.xml (LoggingInitialization)
INFO Using log file: /home/vscode/.ghidra/.ghidra_10.2.3_PUBLIC/application.log (LoggingInitialization)
INFO Loading user preferences: /home/vscode/.ghidra/.ghidra_10.2.3_PUBLIC/preferences (Preferences)
INFO Class search complete (766 ms) (ClassSearcher)
INFO Initializing SSL Context (SSLContextInitializer)
INFO Initializing Random Number Generator... (SecureRandomFactory)
INFO Random Number Generator initialization complete: NativePRNGNonBlocking (SecureRandomFactory)
INFO Trust manager disabled, cacerts have not been set (ApplicationTrustManagerFactory)
INFO Creating project: /workspaces/ghidrecomp/.ghidra_projects/afd.sys.10.0.22621.1344/afd.sys.10.0.22621.1344 (DefaultProject)
INFO Using Loader: Portable Executable (PE) (AutoImporter)
Setting up Symbol Server for symbols...
path: .symbols level: 1
Loaded well known /ghidra/Ghidra/Configurations/Public_Release/data/PDB_SYMBOL_SERVER_URLS.pdburl' length: 883'
Symbol Server Configured path: SymbolServerService:
symbolStore: LocalSymbolStore: [ rootDir: /workspaces/ghidrecomp/.symbols, storageLevel: -1],
symbolServers:
HttpSymbolServer: [ url: https://msdl.microsoft.com/download/symbols/, storageLevel: -1]
HttpSymbolServer: [ url: https://chromium-browser-symsrv.commondatastorage.googleapis.com/, storageLevel: -1]
HttpSymbolServer: [ url: https://symbols.mozilla.org/, storageLevel: -1]
HttpSymbolServer: [ url: https://software.intel.com/sites/downloads/symbols/, storageLevel: -1]
HttpSymbolServer: [ url: https://driver-symbols.nvidia.com/, storageLevel: -1]
HttpSymbolServer: [ url: https://download.amd.com/dir/bin/, storageLevel: -1]
Analyzing program afd.sys.10.0.22621.1344
INFO PDB analyzer parsing file: /workspaces/ghidrecomp/.symbols/afd.pdb/14FBAE3662AD9F7B9D33AA9228D2554A1/afd.pdb (PdbUniversalAnalyzer)
INFO Resolve time: 0 mS (DefaultPdbApplicator)
INFO resolveCount: 0 (DefaultPdbApplicator)
INFO PDB Terminated Normally (DefaultPdbApplicator)
WARN Decompiling 1c0001340, pcode error at 1c000000c: Unable to resolve constructor at 1c000000c (DecompileCallback)
INFO Packed database cache: /tmp/vscode-Ghidra/packed-db-cache (PackedDatabaseCache)
WARN Decompiling 1c0001340, pcode error at 1c000000c: Unable to resolve constructor at 1c000000c (DecompileCallback)
INFO -----------------------------------------------------
ASCII Strings 0.343 secs
Apply Data Archives 0.548 secs
Call Convention ID 0.025 secs
Call-Fixup Installer 0.013 secs
Create Address Tables 0.039 secs
Create Address Tables - One Time 0.076 secs
Create Function 0.232 secs
Data Reference 0.126 secs
Decompiler Parameter ID 10.939 secs
Decompiler Switch Analysis 0.442 secs
Demangler Microsoft 0.089 secs
Disassemble 0.007 secs
Disassemble Entry Points 1.959 secs
Disassemble Entry Points - One Time 0.005 secs
Embedded Media 0.020 secs
External Entry References 0.000 secs
Function ID 0.805 secs
Function Start Search 0.038 secs
Non-Returning Functions - Discovered 0.132 secs
Non-Returning Functions - Known 0.012 secs
PDB Universal 2.810 secs
Reference 0.104 secs
Scalar Operand References 0.601 secs
Shared Return Calls 0.219 secs
Stack 5.164 secs
Subroutine References 0.113 secs
Subroutine References - One Time 0.026 secs
Windows x86 PE Exception Handling 0.027 secs
Windows x86 PE RTTI Analyzer 0.005 secs
Windows x86 Thread Environment Block (TEB) Analyzer 0.038 secs
WindowsResourceReference 0.124 secs
x86 Constant Reference Analyzer 5.755 secs
-----------------------------------------------------
Total Time 30 secs
-----------------------------------------------------
(AutoAnalysisManager)
Decompiling 1275 functions using 8 threads
Setup 8 decompliers
WARN Decompiling 1c0001340, pcode error at 1c000000c: Unable to resolve constructor at 1c000000c (DecompileCallback)
Completed 100 and 7%
Completed 200 and 15%
Completed 300 and 23%
Completed 400 and 31%
Completed 500 and 39%
Completed 600 and 47%
Completed 700 and 54%
Completed 800 and 62%
Completed 900 and 70%
Completed 1000 and 78%
Completed 1100 and 86%
Completed 1200 and 94%
Decompiled 1275 functions for afd.sys.10.0.22621.1344 in 13.469883680343628
Wrote 1275 decompilations for afd.sys.10.0.22621.1344 to decompilations/afd.sys.10.0.22621.1344 in 3.174959659576416
```
### Decompilation Output Dir
```bash
$ tree ghidrecomps | more
ghidrecomps/
└── afd.sys
    ├── AFDETW_TRACEDATA_INDICATION-1c0008d00.c
    ├── AFDETW_TRACEDISCONNECT-1c000f884.c
    ├── AFDETW_TRACELISTEN-1c0016778.c
    ├── AFDETW_TRACEOPTION-1c0012660.c
    ├── AFDETW_TRACERECV-1c0001e38.c
    ├── AFDETW_TRACERECVDATAGRAM-1c0009ef0.c
    ├── AFDETW_TRACESEND-1c000d19c.c
    ├── AFDETW_TRACESENDDATAGRAM-1c0007d10.c
    ├── AFDETW_TRACESENDMSG-1c0015afc.c
    ├── AFDETW_TRACESENDTO-1c00162dc.c
    ├── AFDETW_TRACESTATUS-1c00204d2.c
    ├── AFDETW_TRACETRANSFER-1c004189c.c
    ├── AFDETW_TRACEWAITLISTEN-1c0013674.c
    ├── AFD_PCW_INCREMENT_DROPPED_DATAGRAMS-1c00208e4.c
    ├── AFD_PCW_INCREMENT_REJECTED_CONNECTIONS-1c0032aa4.c
    ├── AfdAbortConnection-1c0033ec4.c
    ├── AfdAbortTPackets-1c003d5ec.c
    ├── AfdAccept-1c0018300.c
    ├── AfdAcceptCore-1c00187d8.c
    ├── AfdAcquireReadLock-1c0020b54.c
    ├── AfdAcquireReadLockAtDpcLevel-1c000b0f4.c
    ├── AfdAcquireWriteLock-1c001b8ac.c
    ├── AfdAddAddressHandler-1c00662f0.c
    ├── AfdAddConnectedReference-1c000f334.c
    ├── AfdAddConnectionToTimerWheel-1c0036520.c
    ├── AfdAddFreeConnection-1c006d7cc.c
    ├── AfdAddressListChange$filt$0-1c001dcb7.c
    ├── AfdAddressListChange$filt$1-1c001dce0.c
    ├── AfdBuildSendMsgTracker-1c00682ac.c
    ... several lines omitted
```
```bash
$ cat decompilations/afd.sys.10.0.22621.1415/AfdGetRemoteAddress-1c0065500.c
```
```c
void AfdGetRemoteAddress(longlong param_1,undefined8 param_2,char param_3,undefined8 param_4,
                        undefined8 param_5,void *param_6,uint param_7,ulonglong *param_8)

{
  ushort uVar1;
  short *psVar2;
  uint uVar3;
  ulonglong uVar4;
  undefined uVar5;
  void *_Src;
  undefined8 unaff_RBX;
  undefined8 unaff_RSI;
  undefined unaff_DIL;
  char cVar7;
  ulonglong _Size;
  undefined unaff_R14B;
  undefined unaff_R15B;
  undefined unaff_retaddr;
  undefined uVar8;
  short *psVar9;
  undefined in_stack_ffffffffffffffe0;
  short *psVar6;

  psVar2 = *(short **)(param_1 + 0x18);
  *param_8 = 0;
  psVar6 = psVar2;
  cVar7 = param_3;
  psVar9 = psVar2;
  uVar4 = AfdLockEndpointContext((longlong)psVar2);
  uVar5 = SUB81(psVar6,0);
  uVar8 = SUB81(psVar9,0);
  if (((uVar4 != 0) && (*psVar2 == -0x502e)) && (*(char *)(psVar2 + 1) == '\x04')) {
    uVar1 = psVar2[0x5d];
    uVar5 = (undefined)uVar1;
    uVar3 = (uint)(ushort)psVar2[0x5c] + (uint)uVar1;
    if (uVar3 < *(uint *)(psVar2 + 0x74) || uVar3 == *(uint *)(psVar2 + 0x74)) {
      if (uVar1 <= param_7) {
        if (param_3 != '\0') {
          ProbeForWrite(param_6,uVar1,1);
        }
        _Size = (ulonglong)(ushort)psVar2[0x5d];
        _Src = (void *)((ushort)psVar2[0x5c] + uVar4);
        memcpy(param_6,_Src,_Size);
        *param_8 = (ulonglong)*(uint *)(psVar2 + 0x74);
        FUN_1c00655e1((char)param_6,(char)_Src,(char)_Size,(undefined)param_4,
                      in_stack_ffffffffffffffe0,unaff_R15B,unaff_R14B,unaff_DIL,unaff_retaddr,uVar8,
                      unaff_RBX,unaff_RSI);
        return;
      }
      FUN_1c00655e1(uVar5,(undefined)param_2,cVar7,(undefined)param_4,in_stack_ffffffffffffffe0,
                    unaff_R15B,unaff_R14B,unaff_DIL,unaff_retaddr,uVar8,unaff_RBX,unaff_RSI);
      return;
    }
  }
  FUN_1c00655e1(uVar5,(undefined)param_2,cVar7,(undefined)param_4,in_stack_ffffffffffffffe0,
                unaff_R15B,unaff_R14B,unaff_DIL,unaff_retaddr,uVar8,unaff_RBX,unaff_RSI);
  return;
}
```
## Example usage in Docker container
### Command (Host)
```bash
% mkdir ghidrecomps
% docker run --rm -it -v $(pwd)/ghidrecomps:/ghidrecomps ghcr.io/clearbluejar/ghidrecomp:latest
Unable to find image 'ghcr.io/clearbluejar/ghidrecomp:latest' locally
latest: Pulling from clearbluejar/ghidrecomp
Digest: sha256:1e7d47267b7a0a31805822c11f891cd502485a42c88bb0ad6292a34e930c6108
Status: Downloaded newer image for ghcr.io/clearbluejar/ghidrecomp:latest
usage: ghidrecomp [-h] [--cppexport] [--filter FILTERS] [--project-path PROJECT_PATH] [--gdt [GDT]] [-o OUTPUT_PATH] [-v] [--skip-cache]
[--sym-file-path SYM_FILE_PATH | -s SYMBOLS_PATH | --skip-symbols] [-t THREAD_COUNT] [--va] [--fa] [--max-ram-percent MAX_RAM_PERCENT] [--print-flags]
[--callgraphs] [--callgraph-filter CALLGRAPH_FILTER] [--mdd MAX_DISPLAY_DEPTH] [--max-time-cg-gen MAX_TIME_CG_GEN]
[--cg-direction {calling,called,both}]
bin
ghidrecomp: error: the following arguments are required: bin
```
### Run in docker on /bin/ls
```bash
$ docker run --rm -it -v $(pwd)/ghidrecomps:/ghidrecomps ghcr.io/clearbluejar/ghidrecomp:latest /bin/ls
```
#### Output
```bash
Starting decompliations: Namespace(bin='/bin/ls', cppexport=False, filters=None, project_path='.ghidra_projects', gdt=None, output_path='decompilations', skip_cache=False, sym_file_path=None, symbols_path='.symbols', skip_symbols=False, thread_count=12, va=False, fa=False, max_ram_percent=50.0, print_flags=False, callgraphs=False, callgraph_filter='.', max_display_depth=None, max_time_cg_gen=5, cg_direction='calling')
INFO Using log config file: jar:file:/ghidra/Ghidra/Framework/Generic/lib/Generic.jar!/generic.log4j.xml (LoggingInitialization)
INFO Using log file: /home/vscode/.ghidra/.ghidra_11.0_PUBLIC/application.log (LoggingInitialization)
INFO Loading user preferences: /home/vscode/.ghidra/.ghidra_11.0_PUBLIC/preferences (Preferences)
INFO Searching for classes... (ClassSearcher)
INFO Class search complete (566 ms) (ClassSearcher)
INFO Initializing SSL Context (SSLContextInitializer)
INFO Initializing Random Number Generator... (SecureRandomFactory)
INFO Random Number Generator initialization complete: NativePRNGNonBlocking (SecureRandomFactory)
INFO Trust manager disabled, cacerts have not been set (ApplicationTrustManagerFactory)
INFO Creating project: /home/vscode/.ghidra_projects/ls/ls (DefaultProject)
INFO Starting cache cleanup: /tmp/vscode-Ghidra/fscache2 (FileCacheMaintenanceDaemon)
INFO Finished cache cleanup, estimated storage used: 0 (FileCacheMaintenanceDaemon)
INFO Using Loader: Executable and Linking Format (ELF) (AutoImporter)
INFO Using Language/Compiler: AARCH64:LE:64:v8A:default (AutoImporter)
Setting up Symbol Server for symbols...
path: .symbols level: 1
Loaded well known /ghidra/Ghidra/Configurations/Public_Release/data/PDB_SYMBOL_SERVER_URLS.pdburl' length: 883'
Symbol Server Configured path: SymbolServerService:
symbolStore: LocalSymbolStore: [ rootDir: /home/vscode/.symbols, storageLevel: -1],
symbolServers:
HttpSymbolServer: [ url: https://msdl.microsoft.com/download/symbols/, storageLevel: -1]
HttpSymbolServer: [ url: https://chromium-browser-symsrv.commondatastorage.googleapis.com/, storageLevel: -1]
HttpSymbolServer: [ url: https://symbols.mozilla.org/, storageLevel: -1]
HttpSymbolServer: [ url: https://software.intel.com/sites/downloads/symbols/, storageLevel: -1]
HttpSymbolServer: [ url: https://driver-symbols.nvidia.com/, storageLevel: -1]
HttpSymbolServer: [ url: https://download.amd.com/dir/bin/, storageLevel: -1]
Failed to find pdb for ls - .ProgramDB
Analyzing program ls...
Running analyzers...
INFO DWARF external debug information found: ExternalDebugInfo [filename=127c37a4c459cf01639f6ded2fcf11a49d3da9.debug, crc=2d1e7054, hash=9f127c37a4c459cf01639f6ded2fcf11a49d3da9] (ExternalDebugFilesService)
INFO Unable to find DWARF information, skipping DWARF analysis (DWARFAnalyzer)
INFO Packed database cache: /tmp/vscode-Ghidra/packed-db-cache (PackedDatabaseCache)
INFO Applied data type archive: generic_clib_64 (ApplyDataArchiveAnalyzer)
INFO -----------------------------------------------------
AARCH64 ELF PLT Thunks 0.063 secs
ASCII Strings 0.139 secs
Apply Data Archives 0.575 secs
Basic Constant Reference Analyzer 0.867 secs
Call Convention ID 0.004 secs
Call-Fixup Installer 0.005 secs
Create Address Tables 0.022 secs
Create Address Tables - One Time 0.012 secs
Create Function 0.000 secs
DWARF 0.007 secs
Data Reference 0.022 secs
Decompiler Switch Analysis 0.982 secs
Demangler GNU 0.027 secs
Disassemble 0.008 secs
Disassemble Entry Points 0.521 secs
Embedded Media 0.008 secs
External Entry References 0.000 secs
Function Start Search 0.017 secs
Function Start Search After Code 0.009 secs
Function Start Search After Data 0.010 secs
Function Start Search delayed - One Time 0.003 secs
GCC Exception Handlers 0.196 secs
Non-Returning Functions - Discovered 0.024 secs
Non-Returning Functions - Known 0.003 secs
Reference 0.064 secs
Shared Return Calls 0.035 secs
Stack 0.984 secs
Subroutine References 0.023 secs
-----------------------------------------------------
Total Time 4 secs
-----------------------------------------------------
(AutoAnalysisManager)
INFO Opening project: /home/vscode/.ghidra_projects/ls/ls (DefaultProject)
Decompiling 566 functions using 12 threads
Setup 12 decompliers
Decompiled 100 and 17%
Decompiled 200 and 35%
Decompiled 300 and 53%
Decompiled 400 and 70%
Decompiled 500 and 88%
Decompiled 566 functions for ls in 1.9280855655670166
0 decompilations already existed.
Wrote 566 decompilations for ls to decompilations/ls in 0.06782746315002441
```
### Decompilation Output Dir
```bash
vscode ➜ /tmp $ tree ghidrecomps
ghidrecomps
└── ls
    ├── _ITM_deregisterTMCloneTable-00134078.c
    ├── _ITM_registerTMCloneTable-00134358.c
    ├── __DT_FINI-00118930.c
    ├── __DT_INIT-00103730.c
    ├── __assert_fail-00103da0.c
    ├── __assert_fail-00134370.c
    ├── __ctype_b_loc-00103c00.c
    ├── __ctype_b_loc-00134288.c
    ├── __libc_start_main-00134190.c
    ├── __lxstat-00103ce0.c
    ├── __lxstat-001342f8.c
    ├── exit-00134050.c
    ├── fclose-00103990.c
    ├── fclose-00134138.c
    ├── fflush-00103ca0.c
    ├── fflush-001342d8.c
    ├── fflush_unlocked-00103c90.c
    ├── fflush_unlocked-001342d0.c
    ├── fgetfilecon-001037a0.c
    ├── fgetfilecon-00134018.c
    ├── fileno-00103950.c
    ├── fileno-00134110.c
    ├── fnmatch-00103c80.c
    ├── fnmatch-001342c8.c
    ├── fputc_unlocked-00103d20.c
    ├── fputc_unlocked-00134320.c
    ├── fputs_unlocked-00103d40.c
    ... several more omitted
```
```bash
cat decompilations/ls/FUN_0010eb20-0010eb20.c
```
```c
void * FUN_0010eb20(void *param_1,char *param_2,void **param_3)

{
  size_t __n;
  long lVar1;
  long lVar2;
  size_t __n_00;
  void *__dest;
  undefined *puVar3;
  ulong uVar4;
  undefined local_41;

  lVar1 = FUN_0010e740();
  lVar2 = FUN_0010e7a0(lVar1);
  __n = (lVar1 - (long)param_1) + lVar2;
  __n_00 = strlen(param_2);
  if (lVar2 == 0) {
    local_41 = 0x2e;
    if (*param_2 != '/') {
      local_41 = 0;
    }
    uVar4 = (ulong)(*param_2 == '/');
  }
  else if (*(char *)((long)param_1 + (__n - 1)) == '/') {
    local_41 = 0;
    uVar4 = 0;
  }
  else {
    local_41 = 0x2f;
    if (*param_2 == '/') {
      local_41 = 0;
    }
    uVar4 = (ulong)(*param_2 != '/');
  }
  __dest = malloc(__n + 1 + __n_00 + uVar4);
  if (__dest != (void *)0x0) {
    puVar3 = (undefined *)mempcpy(__dest,param_1,__n);
    *puVar3 = local_41;
    if (param_3 != (void **)0x0) {
      *param_3 = puVar3 + uVar4;
    }
    puVar3 = (undefined *)mempcpy(puVar3 + uVar4,param_2,__n_00);
    *puVar3 = 0;
  }
  return __dest;
}
```
## Example Usage with Windows afd.sys Callgraph:
### Command line
Generate decompilations and callgraphs for all functions whose names match `AfdRestart`, using `--filter AfdRestart` and `--callgraph-filter AfdRestart`.
```bash
ghidrecomp tests/data/afd.sys.10.0.22621.1415 --callgraph-filter AfdRestart --filter AfdRestart --callgraphs
```
### Output
```bash
Starting decompliations: Namespace(bin='tests/data/afd.sys.10.0.22621.1415', cppexport=False, filters=['AfdRestart'], project_path='.ghidra_projects', gdt=None, output_path='decompilations', skip_cache=True, sym_file_path=None, symbols_path='.symbols', skip_symbols=False, thread_count=8, va=False, fa=False, max_ram_percent=50.0, print_flags=False, callgraphs=True, callgraph_filter='AfdRestart', max_display_depth=None, max_time_cg_gen=5, cg_direction='calling')
INFO Using log config file: jar:file:/ghidra/Ghidra/Framework/Generic/lib/Generic.jar!/generic.log4j.xml (LoggingInitialization)
INFO Using log file: /home/vscode/.ghidra/.ghidra_10.3_PUBLIC/application.log (LoggingInitialization)
INFO Loading user preferences: /home/vscode/.ghidra/.ghidra_10.3_PUBLIC/preferences (Preferences)
INFO Searching for classes... (ClassSearcher)
INFO Class search complete (710 ms) (ClassSearcher)
INFO Initializing SSL Context (SSLContextInitializer)
INFO Initializing Random Number Generator... (SecureRandomFactory)
INFO Random Number Generator initialization complete: NativePRNGNonBlocking (SecureRandomFactory)
INFO Trust manager disabled, cacerts have not been set (ApplicationTrustManagerFactory)
INFO Opening project: /workspaces/ghidrecomp/.ghidra_projects/afd.sys.10.0.22621.1415/afd.sys.10.0.22621.1415 (DefaultProject)
Setting up Symbol Server for symbols...
path: .symbols level: 1
Loaded well known /ghidra/Ghidra/Configurations/Public_Release/data/PDB_SYMBOL_SERVER_URLS.pdburl' length: 883'
Symbol Server Configured path: SymbolServerService:
symbolStore: LocalSymbolStore: [ rootDir: /workspaces/ghidrecomp/.symbols, storageLevel: -1],
symbolServers:
HttpSymbolServer: [ url: https://msdl.microsoft.com/download/symbols/, storageLevel: -1]
HttpSymbolServer: [ url: https://chromium-browser-symsrv.commondatastorage.googleapis.com/, storageLevel: -1]
HttpSymbolServer: [ url: https://symbols.mozilla.org/, storageLevel: -1]
HttpSymbolServer: [ url: https://software.intel.com/sites/downloads/symbols/, storageLevel: -1]
HttpSymbolServer: [ url: https://driver-symbols.nvidia.com/, storageLevel: -1]
HttpSymbolServer: [ url: https://download.amd.com/dir/bin/, storageLevel: -1]
Using file gdts: [windows_vs12_64]
afd.sys.10.0.22621.1415 - .ProgramDB already analyzed... skipping
INFO Opening project: /workspaces/ghidrecomp/.ghidra_projects/afd.sys.10.0.22621.1415/afd.sys.10.0.22621.1415 (DefaultProject)
Skipped 1241 functions that failed to match any of ['AfdRestart']
Decompiling 34 functions using 8 threads
Setup 8 decompliers
Decompiled 34 functions for afd.sys.10.0.22621.1415 in 0.8643746376037598
0 decompilations already existed.
Wrote 34 decompilations for afd.sys.10.0.22621.1415 to decompilations/afd.sys.10.0.22621.1415 in 0.0516660213470459
Error: time expired for AfdLRRepostReceive func: AfdRestartBufferSend. max_run_time: 5 Increase timeout with --max-time-cg-gen MAX_TIME_CG_GEN
Error: time expired for AfdReuseConnection func: AfdRestartDeviceControl. max_run_time: 5 Increase timeout with --max-time-cg-gen MAX_TIME_CG_GEN
Error: time expired for AfdConnect func: AfdRestartSend. max_run_time: 5 Increase timeout with --max-time-cg-gen MAX_TIME_CG_GEN
Error: time expired for WskProControlSocketCore func: AfdRestartAbort. max_run_time: 5 Increase timeout with --max-time-cg-gen MAX_TIME_CG_GEN
Error: time expired for WskProIRPControlSocket func: AfdRestartDelayedAcceptListen. max_run_time: 5 Increase timeout with --max-time-cg-gen MAX_TIME_CG_GEN
Error: time expired for AfdSanAcceptCore func: AfdRestartDisconnect. max_run_time: 5 Increase timeout with --max-time-cg-gen MAX_TIME_CG_GEN
Error: time expired for AfdTPacketsBufferRead func: AfdRestartMdlReadComplete. max_run_time: 5 Increase timeout with --max-time-cg-gen MAX_TIME_CG_GEN
Error: time expired for AfdSanAcceptCore func: AfdRestartTPDetachedSend. max_run_time: 5 Increase timeout with --max-time-cg-gen MAX_TIME_CG_GEN
Error: time expired for AfdTLBindSecurityComplete func: AfdRestartTPacketsBufferRead. max_run_time: 5 Increase timeout with --max-time-cg-gen MAX_TIME_CG_GEN
Error: time expired for FUN_1c0023892 func: AfdRestartTPacketsMdlRead. max_run_time: 5 Increase timeout with --max-time-cg-gen MAX_TIME_CG_GEN
Error: time expired for WskProIRPControlSocket func: AfdRestartTPacketsSend. max_run_time: 5 Increase timeout with --max-time-cg-gen MAX_TIME_CG_GEN
Callgraphed 34 functions for afd.sys.10.0.22621.1415 in 10.055054426193237
Wrote 34 callgraphs for afd.sys.10.0.22621.1415 to decompilations/afd.sys.10.0.22621.1415/callgraphs in 10.055152416229248
0 callgraphs already existed.
```
### Sample Calling Callgraph Output AfdRestartDgConnect:
```mermaid
flowchart TD
classDef sh fill:#339933
0["AfdRestartBufferReceiveWithUserIrp"] --> 1["AfdLRRepostReceive"]
0 --> 2["AfdTLPostPendedReceives"]
3["AfdRestartSuperAccept"] --> 4["AfdContinueSuperAccept"]
5["AfdRestartAccept"] --> 6["AfdServiceSuperAccept"]
7["AfdIssueDeviceControl"] --> 8["AfdRestartDeviceControl"]
9["AfdBCommonChainedReceiveEventHandler"] --> 0
9 --> 10["AfdCommonRestartBufferReceive"]
9 --> 11["FUN_1c0008952"]
12["AfdTLConnectedReceiveEventHandler"]:::sh --> 9
13["AfdBChainedReceiveEventHandler"] --> 9
14["AfdTdiSetEventHandlers"] --> 13
14 --> 15["AfdBReceiveExpeditedEventHandler"]
14 --> 16["AfdBReceiveEventHandler"]
17["AfdRestartBufferReceive"] --> 10
18["AfdBind"]:::sh --> 14
18:::sh --> 19["AfdCreateConnection"]
18:::sh --> 20["AfdTLBindSecurity"]
18:::sh --> 21["AfdRestartBindGetAddress"]
22["AfdRestartSend"] --> 22
23["AfdTLSendComplete"] --> 22
24["AfdTLStartVcSend"] --> 23
25["AfdTLConnectEventHandler"]:::sh --> 3
25:::sh --> 26["AfdTLDelayedAcceptCompletion"]
25:::sh --> 5
16 --> 0
16 --> 1
16 --> 17
27["AfdAccept"]:::sh --> 28["AfdRestartDelayedAccept"]
27:::sh --> 29["AfdTLCancelResumeDelayAccept"]
26 --> 28
26 --> 30["AfdRestartDelayedSuperAccept"]
15 --> 16
31["AfdTLCompleteBufferUserReceive"] --> 0
32["AfdTLPostUserReceive"] --> 31
2 --> 32
10 --> 2
10 --> 1
19 --> 7
33["AfdBPostDrainReceive"] --> 17
33 --> 34["AfdTLCompleteBufferReceive"]
33 --> 10
35["AfdRestartSuperConnect"] --> 36["AfdRestartBufferSend"]
37["AfdConnectEventHandler"] --> 3
37 --> 5
38["FUN_1c000e1aa"] --> 19
38 --> 39["AfdDoDatagramConnect"]
40["AfdSendQueuedTPSend"] --> 24
40 --> 41["AfdTLBufferedSendComplete"]
42["AfdConnect"]:::sh --> 38
43["AfdSuperConnect"]:::sh --> 35
43:::sh --> 41
44["AfdTLAbortEventHandler"]:::sh --> 26
29 --> 26
1 --> 33
1 --> 0
45["AfdCompleteTPackets"] --> 40
45 --> 46["AfdTPacketsWorker"]
45 --> 47["AfdStartNextQueuedTransmit"]
48["FUN_1c0027fa2"] --> 19
49["FUN_1c0021418"] --> 36
49 --> 41
50["AfdFastConnectionSend"] --> 49
51["AfdBInitDrainBytesInTransport"] --> 1
52["FUN_1c002246f"] --> 51
52 --> 53["FUN_1c0004001"]
54["FUN_1c002ed68"] --> 29
54 --> 30
54 --> 54
54 --> 55["AfdRestartSuperAcceptListen"]
56["FUN_1c002d729"] --> 37
57["AfdTLBindComplete2"] --> 48
58["AfdRestartTPacketsMdlRead"] --> 45
58 --> 46
58 --> 59["AfdTPacketsContinueAfterRead"]
60["AfdTLDgramBindComplete"] --> 57
61["AfdFastIoDeviceControl"]:::sh --> 50
62["AfdTLBindComplete"] --> 60
62 --> 63["FUN_1c0027f76"]
62 --> 57
64["AfdTLBind"] --> 62
65["AfdTLBindSecurityComplete"] --> 64
65 --> 20
65 --> 57
20 --> 65
20 --> 64
63 --> 60
66["AfdBReceive"] --> 52
66 --> 67["FUN_1c0022408"]
68["AfdStartListen"]:::sh --> 56
69["AfdTPacketsMdlRead"] --> 58
69 --> 59
30 --> 4
6 --> 54
70["AfdFastIoWrite"]:::sh --> 50
41 --> 36
71["FUN_1c002ec66"] --> 6
71 --> 71
71 --> 72["AfdCloseConnection"]
46 --> 69
46 --> 46
46 --> 73["AfdTPacketsSend"]
46 --> 74["AfdTPacketsBufferRead"]
46 --> 75["AfdStartNextTPacketsIrp"]
76["AfdRestartSuperAcceptGetAddress"] --> 4
34 --> 10
4 --> 76
4 --> 77["AfdRestartSuperAcceptReceive"]
55 --> 4
78["AfdReceive"] --> 66
79["AfdCommonRestartTPacketsSend"] --> 46
79 --> 73
80["AfdTLRestartTPacketsSend"] --> 79
81["AfdTLTPacketsSend"] --> 80
82["AfdDispatch"] --> 78
83["DriverEntry"] --> 82
73 --> 81
73 --> 84["AfdRestartTPacketsSend"]
73 --> 75
85["AfdSanConnectHandler"]:::sh --> 6
86["FUN_1c00128c9"] --> 6
87["AfdSuperAccept"]:::sh --> 86
88["entry"]:::sh --> 83
59 --> 73
74 --> 59
74 --> 89["AfdRestartTPacketsBufferRead"]
89 --> 59
89 --> 46
90["FUN_1c0023892"] --> 51
90 --> 90
90 --> 33
91["AfdGetAddress"]:::sh --> 92["AfdRestartGetAddress"]
84 --> 79
75 --> 46
47 --> 46
93["AfdCompleteClosePendedTPackets"] --> 47
11 --> 1
94["AfdFreeNPConnectionResources"] --> 93
95["AfdFreeConnectionResources"] --> 94
96["AfdFreeConnectionEx"] --> 95
72 --> 96
97["AfdReturnNicsPackets"]:::sh --> 72
53 --> 32
67 --> 33
39 --> 98["AfdRestartDgConnect"]
```
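The flowchart text in a callgraph markdown file can also be processed offline. The following is an added example, not part of ghidrecomp: it parses the `id["name"] --> id["name"]` edge lines shown above and answers which call chain links two functions and which functions can reach a target. The function names (`parse_callgraph`, `call_chain`, `functions_reaching`) are hypothetical, the input is a constructed subset of the edges in the sample above, and edges are assumed to read as caller `-->` callee.

```python
import re
from collections import defaultdict, deque

# One node token: numeric id, optional ["label"], optional :::class
NODE = r'(\d+)(?:\["([^"]*)"\])?(?::::(\w+))?'
EDGE_RE = re.compile(rf'^\s*{NODE}\s*-->\s*{NODE}\s*$')

# Constructed input: a subset of the edges from the sample callgraph above,
# with each label attached on the node's first appearance.
SAMPLE = '''flowchart TD
classDef sh fill:#339933
7["AfdIssueDeviceControl"] --> 8["AfdRestartDeviceControl"]
18["AfdBind"]:::sh --> 19["AfdCreateConnection"]
19 --> 7
22["AfdRestartSend"] --> 22
38["FUN_1c000e1aa"] --> 19
38 --> 39["AfdDoDatagramConnect"]
42["AfdConnect"]:::sh --> 38
39 --> 98["AfdRestartDgConnect"]
'''


def parse_callgraph(text):
    """Return (graph, styled): graph maps function name -> set of callees,
    styled is the set of function names carrying a :::class marker."""
    labels, styled_ids, id_edges = {}, set(), []
    for line in text.splitlines():
        m = EDGE_RE.match(line)
        if not m:
            continue  # flowchart header, classDef, blank or unrelated lines
        src, src_label, src_cls, dst, dst_label, dst_cls = m.groups()
        for node, label, cls in ((src, src_label, src_cls),
                                 (dst, dst_label, dst_cls)):
            if label is not None:
                labels[node] = label
            if cls:
                styled_ids.add(node)
        id_edges.append((src, dst))

    def name(node_id):
        # Labels may be defined on a later line, so resolve after the full pass.
        return labels.get(node_id, f"node_{node_id}")

    graph = defaultdict(set)
    for src, dst in id_edges:
        graph[name(src)].add(name(dst))
        graph.setdefault(name(dst), set())  # keep leaf functions as keys
    return dict(graph), {name(n) for n in styled_ids}


def call_chain(graph, src, dst):
    """Shortest caller->callee chain from src to dst (BFS), or None."""
    if src not in graph or dst not in graph:
        return None
    prev = {src: None}
    queue = deque([src])
    while queue:
        cur = queue.popleft()
        if cur == dst:
            path = []
            while cur is not None:
                path.append(cur)
                cur = prev[cur]
            return path[::-1]
        for nxt in sorted(graph[cur]):  # sorted for deterministic output
            if nxt not in prev:         # also guards against self-loops/cycles
                prev[nxt] = cur
                queue.append(nxt)
    return None


def functions_reaching(graph, dst):
    """All functions with some call chain leading to dst."""
    reverse = defaultdict(set)
    for src, callees in graph.items():
        for callee in callees:
            reverse[callee].add(src)
    seen, queue = set(), deque([dst])
    while queue:
        for caller in reverse[queue.popleft()]:
            if caller not in seen:
                seen.add(caller)
                queue.append(caller)
    return seen


if __name__ == "__main__":
    graph, styled = parse_callgraph(SAMPLE)
    print(" -> ".join(call_chain(graph, "AfdConnect", "AfdRestartDgConnect")))
    print(sorted(functions_reaching(graph, "AfdRestartDeviceControl")))
    print(sorted(styled))
```

To run it on real output, pass the contents of the `mermaid` block from a file under the `callgraphs` directory instead of `SAMPLE`.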
### Sample MindMap Output for AfdRestartDgConnect
```mermaid
mindmap
root((AfdRestartDgConnect))
AfdBCommonChainedReceiveEventHandler
AfdBChainedReceiveEventHandler
AfdTLSendComplete
AfdBReceiveEventHandler
AfdBReceiveExpeditedEventHandler
AfdBReceiveEventHandler
AfdTdiSetEventHandlers
AfdTLCompleteBufferUserReceive
AfdTLPostUserReceive
AfdIssueDeviceControl
AfdTLDelayedAcceptCompletion
AfdCreateConnection
AfdTLStartVcSend
AfdRestartSuperConnect
AfdTLDelayedAcceptCompletion
AfdBPostDrainReceive
AfdCreateConnection
FUN_1c0021418
AfdLRRepostReceive
AfdTLCancelResumeDelayAccept
AfdConnectEventHandler
AfdFastConnectionSend
FUN_1c002d729
FUN_1c002ed68
FUN_1c002d729
AfdTLBufferedSendComplete
FUN_1c0021418
AfdServiceSuperAccept
AfdContinueSuperAccept
AfdServiceSuperAccept
AfdTLBufferedSendComplete
AfdSendQueuedTPSend
AfdTLCancelResumeDelayAccept
AfdServiceSuperAccept
```
## Example BSim signature generation
Use `ghidrecomp` to generate Ghidra BSim compatible feature vectors. These XMLs can later be added to a BSim database.
### Command line
```bash
ghidrecomp --bsim --bsim-cat newcat:newval /bin/ls
```
### Output
```bash
(.env) vscode ➜ /workspaces/ghidrecomp (bsim) $ ghidrecomp --bsim --bsim-cat newcat:newval /bin/ls
Starting decompliations: Namespace(bin='/bin/ls', cppexport=False, filters=None, project_path='ghidra_projects', gdt=None, output_path='ghidrecomps', skip_cache=False, sym_file_path=None, symbols_path='symbols', skip_symbols=False, thread_count=12, va=False, fa=False, max_ram_percent=50.0, print_flags=False, callgraphs=False, callgraph_filter='.', max_display_depth=None, max_time_cg_gen=5, cg_direction='calling', bsim=True, bsim_sig_path='bsim-xmls', bsim_template='medium_nosize', bsim_cat=['newcat:newval'])
INFO Using log config file: jar:file:/ghidra/Ghidra/Framework/Generic/lib/Generic.jar!/generic.log4j.xml (LoggingInitialization)
INFO Using log file: /home/vscode/.ghidra/.ghidra_11.0_PUBLIC/application.log (LoggingInitialization)
INFO Loading user preferences: /home/vscode/.ghidra/.ghidra_11.0_PUBLIC/preferences (Preferences)
INFO Searching for classes... (ClassSearcher)
INFO Class search complete (660 ms) (ClassSearcher)
<several lines omitted>
Decompiled 566 functions for ls in 2.4373884201049805
0 decompilations already existed.
Wrote 566 decompilations for ls to ghidrecomps/ls/decomps in 0.16666936874389648
Generating BSim sigs for 566 functions for ls
Adding category type:newcat val:newval
Categories added: [('newcat', 'newval')]
Generated BSim sigs for 451 functions in 1.248070478439331
Sigs are in ghidrecomps/bsim-xmls/sigs_35d820f0762118215cbe19fb44e612ca_ls
```
### Files generated
```bash
$ tree ghidrecomps
ghidrecomps/
├── bsim-xmls
│ ├── sigs_35d820f0762118215cbe19fb44e612ca_ls
│ ├── sigs_b4c4b6ef5980df8440fb26daffb4118f_afd.sys.10.0.22621.1415
│ └── sigs_fffefca59f1dcb04e318b6b26fa1b50e_ls_aarch64
├── ghidra_projects
│ ├── ls
│ │ └── ls.rep
├── ls
│ └── decomps
```
## Installation
1. [Download](https://github.com/NationalSecurityAgency/ghidra/releases) and [install Ghidra](https://htmlpreview.github.io/?https://github.com/NationalSecurityAgency/ghidra/blob/stable/GhidraDocs/InstallationGuide.html#Install), along with the [Java](https://htmlpreview.github.io/?https://github.com/NationalSecurityAgency/ghidra/blob/stable/GhidraDocs/InstallationGuide.html#JavaNotes) version it requires.
2. Set the `GHIDRA_INSTALL_DIR` environment variable to the Ghidra install location.
3. Install `ghidrecomp` with pip.
### Windows
```powershell
PS C:\Users\user> [System.Environment]::SetEnvironmentVariable('GHIDRA_INSTALL_DIR','C:\ghidra_10.2.3_PUBLIC_20230208\ghidra_10.2.3_PUBLIC')
PS C:\Users\user> pip install ghidrecomp
```
### Linux / Mac
```bash
export GHIDRA_INSTALL_DIR="/path/to/ghidra/"
pip install ghidrecomp
```
### Devcontainer / Docker
Avoid installing Ghidra and Java on your host by using a **devcontainer**.
#### Option 1 - Devcontainer
[![Open ghidrecomp in Remote - Containers](https://img.shields.io/static/v1?label=Remote%20-%20Containers&message=Open&color=blue&logo=visualstudiocode)](https://vscode.dev/redirect?url=vscode://ms-vscode-remote.remote-containers/cloneInVolume?url=https://github.com/clearbluejar/ghidrecomp)
Use the [.devcontainer](.devcontainer) in this repo. Click the button above if you have VS Code installed. If this concept is new to you, check out the [ghidra-python-vscode-devcontainer-skeleton quick setup](https://github.com/clearbluejar/ghidra-python-vscode-devcontainer-skeleton#quick-start-setup---dev-container--best-option), which explains a bit more about dev containers.
#### Option 2 - Docker
Use the published repo image with Ghidra and Java already installed.
```bash
docker pull ghcr.io/clearbluejar/ghidrecomp:latest
docker run --user vscode --rm -it ghcr.io/clearbluejar/ghidrecomp:latest bash
```
From within the image:
```bash
vscode ➜ / $ uname -a
Linux 4da2fe33369a 5.15.49-linuxkit #1 SMP PREEMPT Tue Sep 13 07:51:32 UTC 2022 x86_64 GNU/Linux
vscode ➜ / $ ls /ghidra/
Extensions GPL Ghidra LICENSE bom.json docs ghidraRun ghidraRun.bat licenses server support
vscode ➜ / $ pip install ghidrecomp
Successfully installed Jpype1-1.4.1 ghidrecomp-0.1.0 packaging-23.0 pyhidra-0.4.1
```
Raw data
{
"_id": null,
"home_page": "https://github.com/clearbluejar/ghidrecomp",
"name": "ghidrecomp",
"maintainer": "",
"docs_url": null,
"requires_python": ">=3.9",
"maintainer_email": "",
"keywords": "ghidra,decompiler,callgraph,bsim",
"author": "clearbluejar",
"author_email": "clearbluejar@clearbluejar.com",
"download_url": "https://files.pythonhosted.org/packages/40/17/2895b776cb071fa6823381f481095260f23690ef125774be1c964d61e73b/ghidrecomp-0.5.3.tar.gz",
"platform": "any",
max_run_time: 5 Increase timeout with --max-time-cg-gen MAX_TIME_CG_GEN\nCallgraphed 34 functions for afd.sys.10.0.22621.1415 in 10.055054426193237\nWrote 34 callgraphs for afd.sys.10.0.22621.1415 to decompilations/afd.sys.10.0.22621.1415/callgraphs in 10.055152416229248\n0 callgraphs already existed.\n\n```\n\n### Sample Calling Callgraph Output AfdRestartDgConnect:\n\n```mermaid\nflowchart TD\nclassDef sh fill:#339933\n0[\"AfdRestartBufferReceiveWithUserIrp\"] --> 1[\"AfdLRRepostReceive\"]\n0 --> 2[\"AfdTLPostPendedReceives\"]\n3[\"AfdRestartSuperAccept\"] --> 4[\"AfdContinueSuperAccept\"]\n5[\"AfdRestartAccept\"] --> 6[\"AfdServiceSuperAccept\"]\n7[\"AfdIssueDeviceControl\"] --> 8[\"AfdRestartDeviceControl\"]\n9[\"AfdBCommonChainedReceiveEventHandler\"] --> 0\n9 --> 10[\"AfdCommonRestartBufferReceive\"]\n9 --> 11[\"FUN_1c0008952\"]\n12[\"AfdTLConnectedReceiveEventHandler\"]:::sh --> 9\n13[\"AfdBChainedReceiveEventHandler\"] --> 9\n14[\"AfdTdiSetEventHandlers\"] --> 13\n14 --> 15[\"AfdBReceiveExpeditedEventHandler\"]\n14 --> 16[\"AfdBReceiveEventHandler\"]\n17[\"AfdRestartBufferReceive\"] --> 10\n18[\"AfdBind\"]:::sh --> 14\n18:::sh --> 19[\"AfdCreateConnection\"]\n18:::sh --> 20[\"AfdTLBindSecurity\"]\n18:::sh --> 21[\"AfdRestartBindGetAddress\"]\n22[\"AfdRestartSend\"] --> 22\n23[\"AfdTLSendComplete\"] --> 22\n24[\"AfdTLStartVcSend\"] --> 23\n25[\"AfdTLConnectEventHandler\"]:::sh --> 3\n25:::sh --> 26[\"AfdTLDelayedAcceptCompletion\"]\n25:::sh --> 5\n16 --> 0\n16 --> 1\n16 --> 17\n27[\"AfdAccept\"]:::sh --> 28[\"AfdRestartDelayedAccept\"]\n27:::sh --> 29[\"AfdTLCancelResumeDelayAccept\"] \n26 --> 28\n26 --> 30[\"AfdRestartDelayedSuperAccept\"]\n15 --> 16\n31[\"AfdTLCompleteBufferUserReceive\"] --> 0\n32[\"AfdTLPostUserReceive\"] --> 31\n2 --> 32\n10 --> 2\n10 --> 1\n19 --> 7\n33[\"AfdBPostDrainReceive\"] --> 17\n33 --> 34[\"AfdTLCompleteBufferReceive\"]\n33 --> 10\n35[\"AfdRestartSuperConnect\"] --> 36[\"AfdRestartBufferSend\"]\n37[\"AfdConnectEventHandler\"] 
--> 3\n37 --> 5\n38[\"FUN_1c000e1aa\"] --> 19\n38 --> 39[\"AfdDoDatagramConnect\"]\n40[\"AfdSendQueuedTPSend\"] --> 24\n40 --> 41[\"AfdTLBufferedSendComplete\"]\n42[\"AfdConnect\"]:::sh --> 38\n43[\"AfdSuperConnect\"]:::sh --> 35\n43:::sh --> 41\n44[\"AfdTLAbortEventHandler\"]:::sh --> 26\n29 --> 26\n1 --> 33\n1 --> 0\n45[\"AfdCompleteTPackets\"] --> 40\n45 --> 46[\"AfdTPacketsWorker\"]\n45 --> 47[\"AfdStartNextQueuedTransmit\"]\n48[\"FUN_1c0027fa2\"] --> 19\n49[\"FUN_1c0021418\"] --> 36\n49 --> 41\n50[\"AfdFastConnectionSend\"] --> 49\n51[\"AfdBInitDrainBytesInTransport\"] --> 1\n52[\"FUN_1c002246f\"] --> 51\n52 --> 53[\"FUN_1c0004001\"]\n54[\"FUN_1c002ed68\"] --> 29\n54 --> 30\n54 --> 54\n54 --> 55[\"AfdRestartSuperAcceptListen\"]\n56[\"FUN_1c002d729\"] --> 37\n57[\"AfdTLBindComplete2\"] --> 48\n58[\"AfdRestartTPacketsMdlRead\"] --> 45\n58 --> 46\n58 --> 59[\"AfdTPacketsContinueAfterRead\"]\n60[\"AfdTLDgramBindComplete\"] --> 57\n61[\"AfdFastIoDeviceControl\"]:::sh --> 50\n62[\"AfdTLBindComplete\"] --> 60\n62 --> 63[\"FUN_1c0027f76\"]\n62 --> 57\n64[\"AfdTLBind\"] --> 62\n65[\"AfdTLBindSecurityComplete\"] --> 64\n65 --> 20\n65 --> 57\n20 --> 65\n20 --> 64\n63 --> 60\n66[\"AfdBReceive\"] --> 52\n66 --> 67[\"FUN_1c0022408\"]\n68[\"AfdStartListen\"]:::sh --> 56\n69[\"AfdTPacketsMdlRead\"] --> 58\n69 --> 59\n30 --> 4\n6 --> 54\n70[\"AfdFastIoWrite\"]:::sh --> 50\n41 --> 36\n71[\"FUN_1c002ec66\"] --> 6\n71 --> 71\n71 --> 72[\"AfdCloseConnection\"]\n46 --> 69\n46 --> 46\n46 --> 73[\"AfdTPacketsSend\"]\n46 --> 74[\"AfdTPacketsBufferRead\"]\n46 --> 75[\"AfdStartNextTPacketsIrp\"]\n76[\"AfdRestartSuperAcceptGetAddress\"] --> 4\n34 --> 10\n4 --> 76\n4 --> 77[\"AfdRestartSuperAcceptReceive\"]\n55 --> 4\n78[\"AfdReceive\"] --> 66\n79[\"AfdCommonRestartTPacketsSend\"] --> 46\n79 --> 73\n80[\"AfdTLRestartTPacketsSend\"] --> 79\n81[\"AfdTLTPacketsSend\"] --> 80\n82[\"AfdDispatch\"] --> 78\n83[\"DriverEntry\"] --> 82\n73 --> 81\n73 --> 84[\"AfdRestartTPacketsSend\"]\n73 --> 
75\n85[\"AfdSanConnectHandler\"]:::sh --> 6\n86[\"FUN_1c00128c9\"] --> 6\n87[\"AfdSuperAccept\"]:::sh --> 86\n88[\"entry\"]:::sh --> 83\n59 --> 73\n74 --> 59\n74 --> 89[\"AfdRestartTPacketsBufferRead\"]\n89 --> 59\n89 --> 46\n90[\"FUN_1c0023892\"] --> 51\n90 --> 90\n90 --> 33\n91[\"AfdGetAddress\"]:::sh --> 92[\"AfdRestartGetAddress\"]\n84 --> 79\n75 --> 46\n47 --> 46\n93[\"AfdCompleteClosePendedTPackets\"] --> 47\n11 --> 1\n94[\"AfdFreeNPConnectionResources\"] --> 93\n95[\"AfdFreeConnectionResources\"] --> 94\n96[\"AfdFreeConnectionEx\"] --> 95\n72 --> 96\n97[\"AfdReturnNicsPackets\"]:::sh --> 72\n53 --> 32\n67 --> 33\n39 --> 98[\"AfdRestartDgConnect\"]\n\n```\n\n### Sample MindMap Output for AfdRestartDgConnect\n\n```mermaid\nmindmap\nroot((AfdRestartDgConnect))\n AfdBCommonChainedReceiveEventHandler\n AfdBChainedReceiveEventHandler\n AfdTLSendComplete\n AfdBReceiveEventHandler\n AfdBReceiveExpeditedEventHandler\n AfdBReceiveEventHandler\n AfdTdiSetEventHandlers\n AfdTLCompleteBufferUserReceive\n AfdTLPostUserReceive\n AfdIssueDeviceControl\n AfdTLDelayedAcceptCompletion\n AfdCreateConnection\n AfdTLStartVcSend\n AfdRestartSuperConnect\n AfdTLDelayedAcceptCompletion\n AfdBPostDrainReceive\n AfdCreateConnection\n FUN_1c0021418\n AfdLRRepostReceive\n AfdTLCancelResumeDelayAccept\n AfdConnectEventHandler\n AfdFastConnectionSend\n FUN_1c002d729\n FUN_1c002ed68\n FUN_1c002d729\n AfdTLBufferedSendComplete\n FUN_1c0021418\n AfdServiceSuperAccept\n AfdContinueSuperAccept\n AfdServiceSuperAccept\n AfdTLBufferedSendComplete\n AfdSendQueuedTPSend\n AfdTLCancelResumeDelayAccept\n AfdServiceSuperAccept\n\n\n```\n\n## Example BSim signature generation\n\nUse `ghidrecomp` to generate Ghidra BSim compatible feature vectors. These XMLs can later be added to a BSim database. 
\n\n### Command line\n```bash\nghidrecomp --bsim --bsim-cat newcat:newval /bin/ls\n```\n\n### Output\n```bash\n(.env) vscode \u279c /workspaces/ghidrecomp (bsim) $ ghidrecomp --bsim --bsim-cat newcat:newval /bin/ls\nStarting decompliations: Namespace(bin='/bin/ls', cppexport=False, filters=None, project_path='ghidra_projects', gdt=None, output_path='ghidrecomps', skip_cache=False, sym_file_path=None, symbols_path='symbols', skip_symbols=False, thread_count=12, va=False, fa=False, max_ram_percent=50.0, print_flags=False, callgraphs=False, callgraph_filter='.', max_display_depth=None, max_time_cg_gen=5, cg_direction='calling', bsim=True, bsim_sig_path='bsim-xmls', bsim_template='medium_nosize', bsim_cat=['newcat:newval'])\nINFO Using log config file: jar:file:/ghidra/Ghidra/Framework/Generic/lib/Generic.jar!/generic.log4j.xml (LoggingInitialization) \nINFO Using log file: /home/vscode/.ghidra/.ghidra_11.0_PUBLIC/application.log (LoggingInitialization) \nINFO Loading user preferences: /home/vscode/.ghidra/.ghidra_11.0_PUBLIC/preferences (Preferences) \nINFO Searching for classes... 
(ClassSearcher) \nINFO Class search complete (660 ms) (ClassSearcher) \n<several lines omitted>\nDecompiled 566 functions for ls in 2.4373884201049805\n0 decompilations already existed.\nWrote 566 decompilations for ls to ghidrecomps/ls/decomps in 0.16666936874389648\nGenerating BSim sigs for 566 functions for ls\nAdding category type:newcat val:newval\nCategories added: [('newcat', 'newval')]\nGenerated BSim sigs for 451 functions in 1.248070478439331\nSigs are in ghidrecomps/bsim-xmls/sigs_35d820f0762118215cbe19fb44e612ca_ls\n```\n\n### Files generated\n\n```bash\n$ tree ghidrecomps\nghidrecomps/\n\u251c\u2500\u2500 bsim-xmls\n\u2502 \u251c\u2500\u2500 sigs_35d820f0762118215cbe19fb44e612ca_ls\n\u2502 \u251c\u2500\u2500 sigs_b4c4b6ef5980df8440fb26daffb4118f_afd.sys.10.0.22621.1415\n\u2502 \u2514\u2500\u2500 sigs_fffefca59f1dcb04e318b6b26fa1b50e_ls_aarch64\n\u251c\u2500\u2500 ghidra_projects\n\u2502 \u251c\u2500\u2500 ls\n\u2502 \u2502 \u2514\u2500\u2500 ls.rep\n\u251c\u2500\u2500 ls\n\u2502 \u2514\u2500\u2500 decomps\n```\n\n\n## Installation\n\n1. [Download](https://github.com/NationalSecurityAgency/ghidra/releases) and [install Ghidra](https://htmlpreview.github.io/?https://github.com/NationalSecurityAgency/ghidra/blob/stable/GhidraDocs/InstallationGuide.html#Install) and [Java](https://htmlpreview.github.io/?https://github.com/NationalSecurityAgency/ghidra/blob/stable/GhidraDocs/InstallationGuide.html#JavaNotes) required for Ghidra.\n2. Set Ghidra Environment Variable `GHIDRA_INSTALL_DIR` to Ghidra install location.\n3. 
Pip install `ghidrecomp`\n\n### Windows\n\n```powershell\nPS C:\\Users\\user> [System.Environment]::SetEnvironmentVariable('GHIDRA_INSTALL_DIR','C:\\ghidra_10.2.3_PUBLIC_20230208\\ghidra_10.2.3_PUBLIC')\nPS C:\\Users\\user> pip install ghidrecomp\n```\n### Linux / Mac\n\n```bash\nexport GHIDRA_INSTALL_DIR=\"/path/to/ghidra/\"\npip install ghidrecomp\n```\n\n### Devcontainer / Docker\n\nAvoid installing Ghidra and Java on your host by using a **devcontainer**. \n\n#### Option 1 - Devcontainer\n\n[\n ![Open ghidrecomp in Remote - Containers](\n https://img.shields.io/static/v1?label=Remote%20-%20Containers&message=Open&color=blue&logo=visualstudiocode\n )\n](\n https://vscode.dev/redirect?url=vscode://ms-vscode-remote.remote-containers/cloneInVolume?url=https://github.com/clearbluejar/ghidrecomp\n)\n\nUse the [.devcontainer](.devcontainer) in this repo. Click the above button if you have VS Code installed. If this concept is new to you, check out the [ghidra-python-vscode-devcontainer-skeleton quick setup](https://github.com/clearbluejar/ghidra-python-vscode-devcontainer-skeleton#quick-start-setup---dev-container--best-option), which explains a bit more about dev containers.\n\n#### Option 2 - Docker\n\nUse the published repo image with Ghidra and Java already installed.\n\n```bash\ndocker pull ghcr.io/clearbluejar/ghidrecomp:latest\ndocker run --user vscode --rm -it ghcr.io/clearbluejar/ghidrecomp:latest bash\n```\n\nFrom within the image:\n```bash\nvscode \u279c / $ uname -a\nLinux 4da2fe33369a 5.15.49-linuxkit #1 SMP PREEMPT Tue Sep 13 07:51:32 UTC 2022 x86_64 GNU/Linux\nvscode \u279c / $ ls /ghidra/\nExtensions GPL Ghidra LICENSE bom.json docs ghidraRun ghidraRun.bat licenses server support\nvscode \u279c / $ pip install ghidrecomp\nSuccessfully installed Jpype1-1.4.1 ghidrecomp-0.1.0 packaging-23.0 pyhidra-0.4.1\n```\n\n\n",
"bugtrack_url": null,
"license": "GPL-3.0 license",
"summary": "Python Command-Line Ghidra Decomplier",
"version": "0.5.3",
"project_urls": {
"Homepage": "https://github.com/clearbluejar/ghidrecomp"
},
"split_keywords": [
"ghidra",
"decompiler",
"callgraph",
"bsim"
],
"urls": [
{
"comment_text": "",
"digests": {
"blake2b_256": "f0fe1e4a19806a454c86695342526ae26f8edb4a7364e72ff1a9ac9dfcc092bc",
"md5": "de5dae971189619c501f90c848dfd9f8",
"sha256": "1c723f6d108956a1e06d5d37437701c946a07938cd5fd504dbf1b102f678f583"
},
"downloads": -1,
"filename": "ghidrecomp-0.5.3-py3-none-any.whl",
"has_sig": false,
"md5_digest": "de5dae971189619c501f90c848dfd9f8",
"packagetype": "bdist_wheel",
"python_version": "py3",
"requires_python": ">=3.9",
"size": 39574,
"upload_time": "2024-01-31T06:15:41",
"upload_time_iso_8601": "2024-01-31T06:15:41.266590Z",
"url": "https://files.pythonhosted.org/packages/f0/fe/1e4a19806a454c86695342526ae26f8edb4a7364e72ff1a9ac9dfcc092bc/ghidrecomp-0.5.3-py3-none-any.whl",
"yanked": false,
"yanked_reason": null
},
{
"comment_text": "",
"digests": {
"blake2b_256": "40172895b776cb071fa6823381f481095260f23690ef125774be1c964d61e73b",
"md5": "4083d5e9f4d9f7ec0ca9debc5f92557b",
"sha256": "fcbc089b077625e266dbac0a3ca4c0d669804816588a9da54baf4cb93b37f8c8"
},
"downloads": -1,
"filename": "ghidrecomp-0.5.3.tar.gz",
"has_sig": false,
"md5_digest": "4083d5e9f4d9f7ec0ca9debc5f92557b",
"packagetype": "sdist",
"python_version": "source",
"requires_python": ">=3.9",
"size": 60050,
"upload_time": "2024-01-31T06:15:43",
"upload_time_iso_8601": "2024-01-31T06:15:43.230450Z",
"url": "https://files.pythonhosted.org/packages/40/17/2895b776cb071fa6823381f481095260f23690ef125774be1c964d61e73b/ghidrecomp-0.5.3.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2024-01-31 06:15:43",
"github": true,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"github_user": "clearbluejar",
"github_project": "ghidrecomp",
"travis_ci": false,
"coveralls": false,
"github_actions": true,
"requirements": [],
"lcname": "ghidrecomp"
}